An Emerging Threat Fileless Malware: a Survey and Research Challenges Sudhakar1,2* and Sushil Kumar3

Sudhakar and Kumar Cybersecurity (2020) 3:1 Cybersecurity https://doi.org/10.1186/s42400-019-0043-x

SURVEY Open Access An emerging threat Fileless malware: a survey and research challenges Sudhakar1,2* and Sushil Kumar3

Abstract With the evolution of cybersecurity countermeasures, the threat landscape has also evolved, especially in malware from traditional file-based malware to sophisticated and multifarious fileless malware. Fileless malware does not use traditional executables to carry-out its activities. So, it does not use the file system, thereby evading signature-based detection system. The fileless malware attack is catastrophic for any enterprise because of its persistence, and power to evade any anti-virus solutions. The malware leverages the power of operating systems, trusted tools to accomplish its malicious intent. To analyze such malware, security professionals use forensic tools to trace the attacker, whereas the attacker might use anti-forensics tools to erase their traces. This survey makes a comprehensive analysis of fileless malware and their detection techniques that are available in the literature. We present a process model to handle fileless malware attacks in the incident response process. In the end, the specific research gaps present in the proposed process model are identified, and associated challenges are highlighted. Keywords: Fileless malware, Botnet, Incident response, Memory forensics, Incident investigation, Memory resident malware, Rootkit

Introduction Tian et al., 2019a). The attacker has been using malware Throughout the history of the malicious programs, there for its capabilities to control the compromised systems lo- is one thing which had remained unchanged, the devel- cally or remotely. Although, the operating systems itself opment of the malware program. Someone had to providing several capabilities to the attacker. develop the code in such a manner so that no existing The attackers are mostly involved in exploring vulner- anti-virus (AV) software can detect its presence in the abilities in the legitimate software that are already installed system. In 2002, the development of the malware indus- in the machine such as flash player, web-browser, PDF try had changed the entire threat landscape. This viewer and Microsoft office to exploit and load a script malware has the capability of residing in the system’s directly into the main memory without even touching the main memory undetected making least changes in the local file systems (Pontiroli & Martinez, 2015;Ranietal., file system. This strategy has become the non-malware 2019). In Windows Operating Systems, two most powerful or fileless malware (Patten, 2017; Kumar et al., 2019a). tools and. NET framework are already installed which at- When a system is detected as the compromised by tacker can use to exploit the vulnerability, one is WMI some malicious program or malware, the very first thing (Windows Management Instrumentation) (Graeber, 2015) a forensic expert will work to look for some malicious and second is PowerShell. WMI came into the limelight of programs or software that should not be there. However, the cybersecurity community when it was discovered that in this case, there is none because the fileless malware it is used maliciously as a component in the suite of ex- does not reside in the file system, it is a running ploits by Stuxnet (Falliere et al., 2011; Farwell & Roho- program in the memory (Mansfield-Devine, 2017; zinski, 2011). Since then, WMI has been gaining popularity amongst the attackers, because it can perform * Correspondence: [email protected] system reconnaissance, AV/VM (Virtual Machine) detec- 1 School of Computer & Systems Sciences, Jawaharlal Nehru University, tion, code execution, lateral movement, persistence, and 110067, New Delhi, India 2Indian Computer Emergency Response Team, Ministry of Electronics & data theft. Similarly, in the case of PowerShell, it is a Information Technology, 110003, New Delhi, India highly flexible system shell and scripting platform for the Full list of author information is available at the end of the article

© The Author(s). 2020 Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 2 of 12

attacker to provide all the features in the different stages patterns in the process, registry, minor changes in of an intrusion. Since, it can also be used to bypass anti- file systems, and event logs. virus detection, maintain persistence or infiltrate data. For We proposed a novel investigative model of incident example: In 2016, a hacker group infiltrates into the DNC handling and response, especially in fileless malware. (Democratic National Committee) with fileless malware. The model includes all the phases with memory In this incident, the PowerShell and WMI were used as forensic, analysis and investigation of such incidents. the attack vectors (Report, 2016). In recent time, malware developers have adopted the The rest of the paper is organized as shown in Table 1. high-level language in the development of the malicious codes that have changed the malware industry. After the re- Background of Fileless malware lease of Microsoft .Net framework, it became the center of Unlike traditional file-based malware attacks, instead of attraction for all the windows software developers and un- using real malicious executables, it leverages trusted, intentionally revolutionizedthemalwareindustry(Tian legitimate processes i.e. LOLBins (Living off the Land et al., 2019b;Tianetal.,2019c). It gives the malware writers Binaries) (Living Off The Land Binaries And Scripts - a new and powerful arsenal equipped with all the features (LOLBins and LOLScripts), 2019) and built-in tools of to make a malware undetected and stay ahead of the anti- operating systems to attack and hide. The detailed virus software. With the use of this framework, malware comparisons between traditional file-based malware and creator may easily interact with the operating system and fileless malware are mentioned in the Table 2 (Afianian exploit vulnerabilities with the entire catalog of products et al., 2018). In this section, the formal definition of the with the help of the framework (Patten, 2017;Pontiroli& fileless malware and execution techniques along with the Martinez, 2015; Tian et al., 2019d;Bhasinetal.,2018). The system tools, is discussed. The section also elaborates on attacker uses a tool like PowerShell to coordinate attacks the infection technique used by such malware with with the help of existing toolkits such as meterpreter attack vectors, as shown in Fig. 1. (About the Metasploit Meterpreter, 2019), SET (Social En- gineering Toolkit) (Pavković &Perkov,n.d.), or the Metas- Definition ploit Framework including an extensive list of modules that Fileless malware attacks do not download malicious files are already built-in and ready to use for the purpose of or write any content to the disk in order to compromise plotting additional attacks (Tian et al., 2018). the systems. The attacker exploits merely the vulnerable The fileless malware attacks in the organizations or application to inject malicious code directly into the targeted individuals are trending to compromise a tar- main memory. The attacker can also leverage the trusted geted system avoids downloading malicious executable and widely used applications, i.e., Microsoft office or ad- files usually to disk; instead, it uses the capability of ministration tools native to Windows OS like PowerShell web-exploits, macros, scripts, or trusted admin tools and WMI to run scripts and load malicious code directly (Tan et al., 2018; Mansfield-Devine, 2018). Fileless mal- into volatile memory (Stop Fileless Attacksat Pre- ware can plot any attacks to the systems undetected like execution, 2017; Zhang, 2018). The procedures and at- reconnaissance, execution, persistence, or data theft. tack vectors are mentioned in Fig. 1. There are not any limitations on what type of attacks can be possible with fileless malware. This survey in- Execution of fileless malware cludes infection mechanisms, legitimate system tools The malware authors have leveraged the advantage of used in the process, analysis of major fileless malware, two powerful legitimate windows applications Windows research challenges while handling such incidents in the Management Instrumentation and PowerShell to exe- process of incident and response. This type of study was cute their malicious binaries to make the attack un- not done in the literature, which includes the different detected by AV solutions (Graeber, 2015). perspectives of fileless malware. The main contributions The life cycle of the fileless malware works in three of the paper are mentioned below. phases. First, attack vector, which has methods through which the attacker targets their victims. Second, the The background of the malware with evasion and execution mechanism in this the initial malicious code propagation techniques used to identify targets and could try to create a registry entry for its persistence or stay undetected in the victim machines. WMI object with VBScript/JScript to invoke an instance We analyze the behavior of all the fileless of PowerShell. Third, PowerShell can further able to exe- malware and discuss their persistent mechanisms cute the malicious program into the legitimate process in detail. memory directly without dropping any files to the file We analyze many solutions given by researchers to system making its target compromised by fileless mal- detect such malware by analyzing the malicious ware; the infection life cycle is shown in Fig. 1. Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 3 of 12

Table 1 Outline of the paper Section Description Introduction The change in cybersecurity threat-landscape and associated threat actors over time, especially in malware perspective from traditional file-based malware to fileless malware. This section also includes the motivation and contribution of this survey. Background of Fileless Malware This section explains the definition of fileless malware and exploits mechanism with tools through which the initial infection of fileless malware. Analysis of Fileless Malware Based on Their This section have the analysis of the behavior of fileless malwares and classify them into their Persistent Techniques persistent mechanism to hide and execute into the targeted systems. Detection Techniques for Fileless Malware This section presents the prevention and detection systems are used to detect the malicious programs running in memory, leaving no physical file on the compromised system. The section presents the detection mechanism to detect these type of malicious programs. Proposed Process Model for Incident A novel investigative framework is proposed to break-down the analysis into simple steps for Response effective detection and analysis of root-cause of such attacks. Research Challenges The problems which are facing by the state-of-art investigation procedure in each step are explained in detail. Conclusion In this section, we concluded the paper.

Windows management instrumentation detection, code execution, lateral movement, covert data With the emergence of new technologies, many changes storage, to persistence. Using these capabilities of WMI, have occurred in the Windows Operating System over the an attacker can build a pure backdoor without even drop- period, but WMI remains powerful since Windows NT ping the single file to the file system. In addition to this, it 4.0, and Windows 95. It has an excellent reputation in the can be used to execute malicious JavaScript/VBScript dir- security community to launch an attack across many ectly in the memory to possibly evade the AV solutions phases of the attack life-cycle like reconnaissance, AV/VM (Graeber, 2015;O’Murchu & Gutierrez, 2015;Ruff,2008).

Table 2 Comparison between file-based malware and fileless malware Techniques Traditional file-based malware Fileless malware Source code Yes No Malicious file Yes No Malicious process Yes No (Uses trusted OS processes) Complexity Moderate Very high Detection complexity Moderate Very high Persistence Medium Low File Types • Executable files • JavaScrpt • Script embedded in a format that executes • WMI scripts (PDF, Word, Excel etc.,) • PowerShell • Flash • WScript/ CScript Targets Executable file with single targeted OS/ patch level Can target many different OS/ path level combination combinations Obfuscation methods • Encrypt file • Encoding • Archive file • Escaped ASCII/ Unicode values • Executable file disguised as another type of file • String splitting • Executable file embedded in another file • Encryption • Randomization • Data obfuscation • Logic structure obfuscation • White space Anti-virus detection Possible with known signature Not possible Sandboxes detection Physically availability of file Not possible Behavior-based heuristics and File-based malware shows abnormal behavior in the system Fileless attacks are designed to behave like a benign unsupervised machine learning after compromising the targeted host. Hence, these systems process in the system, so they may not alarm as an are designed to detect such behavior. anomaly. Hence, very difficult to detect. Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 4 of 12

Fig. 1 Infection flow of fileless malware

PowerShell (Demystifying Fileless Threats, 2019; Rivera & Inocencio, PowerShell has a rich number of features to facilitate the 2015). attacker to even bypasses the detection capability of AV solutions to maintain persistence or spy on the system. Memory-resident malware Windows operating system has already whitelisted many The malware that wholly resides in the main memory modules for PowerShell. For example, evasive techniques without touching the file systems. It uses only legitimate (Bulazel & Yener, 2017) can be used to dynamically load process or authentic windows files to execute and stays PowerShell scripts into the memory without even writ- there until it triggered. The malware having such cap- ing anything on the file system (Pontiroli & Martinez, abilities are described in this section: 2015; Case & Richard III, 2017). Code Red (Zou et al., 2002; Danyliw & Householder, 2001; Rhodes, 2001): Code red infect Microsoft’s Inter- net Information Server (IIS) of version 4.0 and 5.0 hav- Analysis of Fileless malware based on their ing known buffer overflow vulnerability. The system is persistent techniques infected when server GET/default.ida request on TCP There are major three categories of fileless malware, port 80 allowing the worm to run code on the server. which are described below by their persistence tech- SQL Slammer (O’Murchu & Gutierrez, 2015;MSSQL niques and detailed classification of their attack vectors Slammer/Sapphire Worm, 2003): SQL Slammer is a com- in Table 3. The fileless malware can hide their location puter worm (SQL Slammer, 2019). It has the power to to make difficulties in the process of detection by trad- choke the bandwidth of the network resulting in a denial- itional AV solutions and also for the security analyst of-service condition. The worm has used the method to

Table 3 Classification of Attack Vectors for Fileless Malware detection Functionality/ Memory Resident Malware Windows Registry Malware Rootkit Malware Attack Vector SQL Slammer Code Red Poweliks Lurk PowerWare Kovter Phase Bot Infection method In memory In memory In memory In memory In memory Registry In memory Configuration data In memory In memory In memory In memory No Registry Registry Injection data In memory In memory Registry In memory No Registry Registry Persistence method No No Registry No No Registry Registry Malware Category Worm Worm Click fraud Bot Trojan Ransomware Ad-Click fraud Bot Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 5 of 12

propagate and infect by scanning the buffer-overflow vul- of commands to achieve its malicious venture. Once the nerability over the internet. execution is completed PowerShell losses all the envir- Lurk Trojan (Golovanov, 2012; Shulmin & Prokhor- onment variables and it does not log the list of executed enko, 2016): Lurk is a banking Trojan, infection could commands due to this, it leaves little chance to recover be possible either using command “regsrv32” and “netsh the script executed and the sample or information about add helper dll” or via the ShellIconOverlayIdentifiers the final payload (Zaharia, 2016). branch of the system registry. The Trojan uses its specific features to gain access to the users’ sensitive data, Persistence mechanism - JavaScript code is added and with the help of it, an attacker can compromise into the registry and is executed by a legitimate their online banking services. Windows file, mshta.exe, via WMI instead of Poweliks (O’Murchu & Gutierrez, 2015;Team,2017; mshtml.dll: Zeltser, 2017): Poweliks is fileless malware that is further being developed from file-based malware, known as Wow- HKLM\path{\Software\Microsoft\Windows\Current liks. The malware installs itself into the registry as well as Version\Run}. use it to persist in the system, thus escape from AV solu- Data: mshta javascript: {javascript code}. tions as it did not leave any files written on the disk. Also, Kovter decrypts the first stage JavaScript code, which re- the malware installs PowerShell in the background with- sides in the registry leading to the second stage JavaScript out alarming the defensive system if the system does not containing a PowerShell script, which decodes the have it already. The system is penetrated by exploiting the encoded shellcode and injects it to the legitimate windows Microsoft Office vulnerabilities and used the PowerShell process (regsvr32.exe) to execute, using a technique called along with JavaScript with shellcode to directly execute Process Hollowing (Process Hollowing, 2019). The flow of into legitimate memory. The attack vectors are compared injecting shellcode is mentioned in Fig. 2. between Wowliks and Poweliks in Table 4. PowerWare (Valdez & Sconzo, 2016): It is a fileless ransomware, which is mostly delivered via a macro- Persistence mechanism - Poweliks uses system enabled Microsoft Word document. The malware uses registries to achieve persistence, to stay undetected. the core utilities of windows operating the system such It added two registries to the run key. First, in the as PowerShell. By leveraging the capabilities of it, the form of JavaScript program encoded data written ransomware entirely avoids writing any file on the disk under (Default) value and other is the autorun entry and perform its malicious activities. that reads and decodes the encoded JavaScript data. Rootkits fileless malware Windows registry malware An attacker can install this kind of malware after getting Registry is the database for storing low-level settings of the administrator level privilege to hide the malicious code the Windows operating system and some critical apps. In into the kernel of the Windows operating system. While there, the malware authors managed to store complete this is not a 100% fileless infection either, it fits here. malicious code into the registry in an encrypted manner, Phase Bot (Zeltser, 2017; Phase Bot - A Fileless Rootkit to make it undetected. To obtain the persistence, it can (Part 1), 2014; Phase Bot - A Fileless Rootkit (Part 2), exploit some operating systems thumbnail cache using 2014): It is a type of bot, which can grab its’ victim infor- registry. However, the file is set to self-destruct once it mation by applying form-grabbing approach (Sood et al., carried out its malicious task (Wueest & Anand, 2017). 2011) and stealing FTP data connection (Allman & Kovter (Team, 2017; Fileless Malware - A Behavioural Ostermann, 1999) with the ability to run without a file. Analysis Of Kovter Persistence, 2016): Kovter can con- Phase hides its relocatable code encrypted in the registry ceal itself in the registry and maintain persistence and uses PowerShell to read and execute this independ- through the use of registry run key. The infection mech- ent position code into memory. Both Phase Bot and anism of Kovter has the feature to leave very few file Poweliks uses similar persistence mechanism. traces of artifacts. It uses PowerShell for the execution Detection techniques for Fileless malware Table 4 The Evolution of Poweliks In the case of fileless malware, PowerShell and WMI Functionality/ Attack Vector Wowliks Poweliks could be used to reconnaissance, establishing persist- Infection method File-based In memory ence, lateral movement, remote command execution, Configuration data On-disk In memory and file transfer, make it difficult to track evidence left behind during a compromise (Pontiroli & Martinez, Injection data DLL file on disk Registry 2015). In order to detect such malware infection, various Persistence method DLL file on disk Registry techniques (Section 4.1–4.3) have been proposed by the Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 6 of 12

Fig. 2 Shellcode injection flow

researchers in their work. First two techniques (Section b. Event ID 7040: If the service has been changing to 4.1 and Section 4.2) are manual inspection techniques, auto-start from disabled/demand start of the Win- need a security professional to look into the evidence dows Remote Management (WS-Management). prescribed by the researcher to successfully identify such c. Event ID 10148: This event is responsible for attacks, whereas the third technique (Section 4.3) is only listening to the specific IP and Port for WS- a concept yet to implement. Management related requests.

Detection by monitoring the behaviour of the system Detection by rule-based In order to detect fileless malware, the system needs to con- Majority of malicious programs spread across the inter- sider two things. First, the processes which have elevated net via targeted by the attacker or by the botnet to find privileges after becoming live into the memory and Second, the vulnerable victim is packed with Microsoft Office ap- monitor the security events for the program execution by plications such as winword.exe, excel.exe, and power- command-line console or PowerShell (Pontiroli & Marti- pnt.exe. Furthermore, the detection of such programs, nez, 2015). which trigger the cmd.exe or powershell.exe, could be malicious. Hence, the detection mechanism may work 1. The attacker first aim is to gain the root access to its by the rule that can distinguish between benign process victim machine to take the full privilege of the and malicious process (Valdez & Sconzo, 2016). PowerShell. To identify fileless infections, the system These similar rules can be implemented in the needs to monitor all the essential features that are browsers to block such malicious apps from executing accomplished by PowerShell capabilities, such as: PowerShell and Command prompt. This should also help with other types of malware leveraging other a. Remote command execution by the PowerShell. Microsoft Office applications as mentioned in Fig. 3. b. Change of standard user privilege to administrative CASE-1: privilege to access WMI and .NET Framework base ProcessName: cmd.exe AND class library. (parentName: winword.exe OR parentName: c. Programs, which are executing in the main excel.exe OR parentName: powerpnt.exe OR memory, may be malicious. parentName: outlook.exe) AND chilprocessName: powershell.exe CASE-2: 2. It is essential to identify the principal sources of ProcessName: cmd.exe AND information such as network traffic, network (parentName: winword.exe OR parentName: connections, and suspicious modifications to excel.exe OR parentName: powerpnt.exe OR particular Windows registry keys. In addition, the parentName: outlook.exe) CASE-3: Windows event log, being on guard for clear ProcessName: powershell.exe AND indicators that may suggest the malicious activity parentName: winword.exe CASE-4: has taken place. Some of the indispensable events ProcessName: powershell.exe AND need to be adequately monitored, such as: filemodCount: [1000 to *]

Detection by learning behavior of attack a. Event ID 4688: The system needs to monitor all A framework can be developed in the paradigm of the newly created processes whose parent process is client-server, wherein all the endpoints have a client de- PowerShell. ployed, and a server in the cloud. The framework is Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 7 of 12

Fig. 3 Malicious process flow

divided into three stages, like capturing events, tagging an incident response team to handle cybersecurity inci- events, and learning from the events. In this system, the dents. The team can follow this process model and process client can capture all the generated events by the host flow to investigation the root cause of such attacks. machine as mentioned in the Fig. 4, to monitor the full The analysis of evidence and artifacts are starts from stream of activity. In addition, the client also assigns a the examination stage, where forensic examiner con- tag to each event appropriately to uncover the attacker’s cludes whether the malware sample needs to investigate progress. At last, in the server, many analysis engines further. In this scenario, the attack pattern can be identi- working on the tagged-events supplied by the client to fied with the help of many techniques. Which are useful detect the malicious activity in the host machine. The in detecting anomalies between the benign and mali- tagged-events will be the raw data for learning algo- cious behavior of the system. rithms and analyzing the behavior of the patterns to prevent or detect malicious activity through the co-relation amongst the event streams (Series, 2019). Preparation The primary motive of this phase is continuous capability Proposed process model for incident response enhancement of the handling incident based on risk as- The proposed model is especially for malware related inci- sessment and experiences of the incident handling team. dents both in real-time attacks and after attack scenarios. In this context, regular training of the individual incident The process flow diagram and block diagram are thor- handler needs to be arranged to keep them ready for new oughly explained in Fig. 5 and Fig. 6. The first five-phase security threats and related security tools for more sophis- (including incident response) is for the identification and ticated malicious programs like fileless malware, botnet, investigation of the incident. Each organization should have APT (Advanced Persistent Threat) and DDoS.

Fig. 4 A framework to detect and prevent fileless malware attacks Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 8 of 12

Fig. 5 A process model for memory forensics

An incident handler needs to gather all available informa- Collection tion about the incident. To facilitate the incident handler, The evidence of the incident can be acquired from the forensic software and most advanced malware analysis tools sensors, which are in place in the network or from the are required. In case of occurrence of such incidents, an compromised machines. The sensors can be honeypot/ organization must have a policy in place containing report- honeynet (Watson & Riden, 2008) to collect malicious ing, information sharing, especially with outside organiza- samples or to capture the network behavior. All the col- tions such as law enforcement (Khurana et al., 2009). lected evidence are preserved for further analysis and investigation purpose, as mentioned in Fig. 6. All the Detection analysis and investigation must be done on a copy of the original data, and the original evidence file is untouched In the organization, security tools (anti-malware agents, to facilitate legal requirements (Khurana et al., 2009). intrusion detection/prevention systems, network sandboxes, and firewalls, etc.) must installed in their infra- Examination structure to prevent and detect it from the security The traces obtained from various security sensors are in- breaches and policy violations. If any alert tegrated and fused to form one extensive data set on are unauthorized events or anomalies triggers, then it re- which analysis can be performed. The data set may con- quires a security analyst to examine logs and analyze the tain redundant information, which needs to be removed root cause of the unauthorized event (Shackleford, and rectified efficiently. In this process, the crucial data 2016). The malicious events could lead to the existence should be intact (Khurana et al., 2009; Ren, 2004). The of malware, which could be determined by the various indicators of cybercrime can be searched from the ex- parameters, and quick validation can be done to confirm tensive data set of evidence like malicious network traffic the attack. The validation is required to determine (Pilli et al., 2010; Tobergte & Curtis, 2013). The finding whether to investigate the suspected attack or ignore it. may be shared with the development team of security This phase can generate two branches – incident re- tools for improvement purposes (Case & Richard III, sponse and collection (Pilli et al., 2010). 2017; Cohen, 2017; Burdach, 2006).

Incident response Analysis & Investigation The reactive and proactive response will be generated for While analysis of such incidents, an expert should con- intrusion detection according to the organization’spolicy sider the behavior of the systems such as registry entries, and guidelines. The damage already caused due to a network communication, operating system fingerprint- cyberattack could be mitigated, and future action plans ing, memory analysis, and process analysis to match for can be determined for such attacks. In addition, a similar any malicious activities. Thorough investigations must response with more information obtained from the be performed from a victim network or system through investigation can be initiated (Khurana et al., 2009; any intermediate nodes and communication pathway to Pilli et al., 2010). pinpoint from where the attack originated. Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 9 of 12

Fig. 6 The process flow of cybersecurity incident handling and response

The attacker can remove their footprints from the prevention and detection systems. Since, there are no crime scene, such as securely delete the log files, pay- files written on the disk, when the malware is persisting loads, registry entries, and cookies. IP spoofing and step- exclusively through process memory and registry files. ping stone attack strategies can also be used by the The malicious process is not accessible without doing attacker to hide their IP address (Vacca, 2013). The in- in-memory analysis because the source code of the vestigation phase provides data for incident response process is not available. The fileless attacks can evade and prosecution of the attacker (Khurana et al., 2009; these AV tools without triggering alarms as deduce from Pilli et al., 2010). the eq. 1.

No Code OR Files⇒No Detection ð1ð1ÞÞ Representation All the findings from the different phases, such as exam- In the process of prevention, detection, and collection ination and analysis/investigations, are collected and pre- of the malicious files or attack vectors in the infrastruc- sented in a proper, understandable language for legal ture poses the various research challenges in incident purposes with evidence. The detailed documentation can handling and response, which are discussed in the fol- be presented in the form of a report with visualization lowing subsections. In Table 5, the specific and common so that they could be easily grasped (Khurana et al., challenges are compared for both file-based and fileless 2009; Pilli et al., 2010). malware.

Research challenges Detection and collection Fileless malware already presents a significant problem, The first step to detect the fileless malware attacks is to and it is gaining further popularity among attackers be- identify the malicious pattern of the system and the mali- cause it is undetectable by traditional file-based cious scripts, which are running in the memory. The Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 10 of 12

Table 5 Comparison of challenges between file-based and fileless malware Challenges File-based malware Fileless malware 1. Detection and Malicious files are available and detect by the AV solutions. Since, the malicious files are unavailable, it required to do in-depth collection memory analysis for the identification of malicious programs running in memory and collect malicious patterns as evidence. 2. Examination Perform static and dynamic analysis of the malicious sample To establish and validate the attack, all pieces of evidence, such as to extract indicators of compromises (IOCs). network events, logs of all security tools, and hosts are required to examine. 3. Analysis & Co-relate the intention of the attacker from the IOCs and Co-relate the intention of the attacker from the IOCs and investigation investigate the attacker IP through mapping with IP- investigate the attacker IP through mapping with IP-geolocation. geolocation. 4. Incident The accurate response of malicious activity should be The accurate response of malicious activity should be response communicated to mitigate the threat. communicated to mitigate the threat. malicious scripts are interpreted files such as JavaScript, attack. Characterization of anomalous network events, Visual Basic, and PowerShell, which also need to consider the malicious behavior of the system, and distinguishing as a parameter of detection engine. However, some points attack traffic from legitimate traffic by searching for pat- raise even more significant questions for the researcher terns of anomalies is a significant challenge (Stop Fileless (Gorelik & Moshailov, 2017): Attacksat Pre-execution, 2017).

Are we want to scan all text files, scripts, and XML Analysis & Investigation files? The large volume of data can be used to scrutinize to Are we to build a parser/interpreter for each type of understand the relationship of attack and attacker interpreted files? intention, to do so the classification and clustering tech- Are we to block any suspicious string, even if it is niques can be used on the suspected data events to sep- just a comment in the scripts? arate the benign events and malicious events (Aljaedi et al., 2011). Pattern recognition can be used to find Researchers are facing these questions when trying to anomalies in the malicious events. A malicious cluster balance false positive in early detection systems. The de- can help to categorize the attack patterns and attack re- tection system must consider different attack vectors construction to uncover the motivation and intention of and source of evidence to block fileless attacks at the the attacker can be a challenge (Almulhem, 2009). pre-execution stage. It must leverage the machine- All the collected evidence needs a thorough investiga- learning algorithm to analyze command lines, scrutinize tion to find the source IP of the attacker. Security internet connections, monitor process behavior and pro- researchers are facing problems to trace back the tect the memory space of the running process to detect attacker IP address due to the advanced techniques of IP such attacks (Stop Fileless Attacksat Pre-execution, spoofing (Mitropoulos & Dimitrios Patsos, 2005). 2017). The system should collect all the relevant data Identifying a mechanism to find the IP location mapping from different sources to feed on the machine learning with attacker geolocation is itself a significant challenge algorithm and get the best out of it (Tobergte & Curtis, (Nikkel, 2007). 2013; Tian et al., 2019e; Kumar et al., 2019b). The data from the different sources may be quite large, so to han- Incident response dle the data, the system can use big data technologies In the whole process, the incident response is the phase (Sudhakar & S.K., 2018) with a machine learning algo- where the result is reflected. The response should be rithm for more efficient results. quick and accurate so that the malicious activity should be mitigated and attacker unable to damage any further Examination (Khurana et al., 2009; Aljaedi et al., 2011). The system is compromised with fileless malware having less possible to find traces of malicious activity. Al- Conclusion though the evidence must be collected from different Security defenders should have a significant focus on de- sources. Data fusion of all the evidence and logs col- tecting and preventing fileless malware attacks. The at- lected from various security tools deployed in each host tackers use the legitimate application to fulfill their on the entire network is major challenges faced by the malicious motives. Since, the PowerShell and WMI can security researchers (Ren, 2004). The traces from the also be used to bypass signature-based detection sys- logs, attack vectors from various tools and reconnais- tems, maintain persistence or ex-filtrate data makes it sance of attributes from different hosts validate an difficult to detect malicious activities. In this paper, we Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 11 of 12

categorized most of the existing detection methods and Falliere, N., Murchu, L.O., Chien, E.: W32. stuxnet dossier. White paper, Symantec types of fileless malware, which are targeting the real Corp., Security Response 5(6), 29 (2011) Farwell JP, Rohozinski R (2011) Stuxnet and the future of cyber war. Survival world. The proliferation of non-malware attacks has only 53(1):23–40. https://doi.org/10.1080/00396338.2011.555586 accentuated this issue. Major global hacks against Fileless Malware - A Behavioural Analysis Of Kovter Persistence (2016). https:// SWIFT (Society for Worldwide Interbank Financial airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter- persistence/ Telecommunication) and the Ukraine power grid, Golovanov, S.: A unique `bodiless' bot attacks news site visitors (2012). https:// among others, have served as clarion calls that critical securelist.com/a-unique-bodiless-bot-attacks-news-site-visitors-3/32383/ infrastructure and worldwide financial systems will con- Gorelik, M., Moshailov, R.: Fileless Malware: Attack Trend Exposed (2017). http://blog. morphisec.com/fileless-malware-attack-trend-exposed Accessed 2018-05-02 tinue to be targeted by this type of sophisticated attacks. Graeber M (2015) Abusing windows management instrumentation (WMI) to build a persistent, asynchronous, and fileless backdoor. Black Hat, Las Vegas Acknowledgements Khurana H, Basney J, Bakht M, Freemon M, Welch V, Butler R (2009) Palantir: a Not applicable. framework for collaborative incident response and investigation. In: Proceedings of the 8th symposium on identity and trust on the internet, pp Author’s contribution 38–51 ACM The first author conceived the idea of the study and wrote the paper; all Kumar S, Dohare U, Kumar K, Prasad Dora D, Naseer Qureshi K, Kharel R (2019a) authors discussed and revised the final manuscript. All authors read and Cybersecurity measures for geocasting in vehicular cyber physical system approved the final manuscript. environments. IEEE Internet Things J 6(4):5916–5926. https://doi.org/10.1109/ JIOT.2018.2872474 Funding Kumar S, Singh K, Kumar S, Kaiwartya O, Cao Y, Zhou H (2019b) Delimitated anti Not applicable. jammer scheme for internet of vehicle: Machine learning based security approach. IEEE Access 7:113311–113323 Availability of data and materials Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) (2019). Not applicable. https://github.com/LOLBAS-Project/LOLBAS Mansfield-Devine S (2017) Fileless attacks: compromising targets without – Competing interests malware. Netw Secur 2017(4):7 11 The authors declare that they have no competing interests. Mansfield-Devine, S.: The malware arms race. Computer Fraud & Security 2018(2), 15{20 (2018) Author details Mitropoulos S, Dimitrios Patsos CD (2005) Network forensics towards a classification 1School of Computer & Systems Sciences, Jawaharlal Nehru University, of traceback mechanisms. In: Workshop of the 1st International Conference on 110067, New Delhi, India. 2Indian Computer Emergency Response Team, Security and Privacy for Emerging Areas in Communication Networks, pp 9–16 Ministry of Electronics & Information Technology, 110003, New Delhi, India. MS SQL Slammer/Sapphire Worm (2003). https://www.giac.org/paper/gsec/3091/ 3School of Computer & Systems Sciences, Jawaharlal Nehru University, ms-sql-slammer-sapphire-worm/105136 110067, New Delhi, India. Nikkel BJ (2007) An introduction to investigating IPv6 networks. Digit Investig 4(2):59–67. https://doi.org/10.1016/J.DIIN.2007.06.001 Received: 29 July 2019 Accepted: 23 December 2019 O’Murchu L, Gutierrez FP. The evolution of the fileless click-fraud malware poweliks. Symantec Corp. (2015) Patten, D.: The evolution to fileless malware (2017). http://www.infosecwriters. References com/Papers/DPatten Fileless.pdf ć — About the Metasploit Meterpreter (2019). https://www.offensive-security.com/ Pavkovi N, Perkov L Social engineering toolkit a systematic approach to social metasploit-unleashed/about-meterpreter/ engineering. In: 2011 proceedings of the 34th international convention Afianian A, Niksefat S, Sadeghiyan B, Baptiste D (2018) Malware dynamic analysis MIPRO 2011 may 23 (pp. 1485-1489). IEEE evasion techniques: A survey. arXiv preprint arXiv 1811:01190 Phase Bot - A Fileless Rootkit (Part 1) (2014). https://www.malwaretech.com/2 Aljaedi A, Lindskog D, Zavarsky P, Ruhl R, Almari F (2011) Comparative analysis of 014/12/phase-bot-fileless-rootki.html volatile memory forensics: Live response vs. memory imaging. In: 2011 IEEE Phase Bot - A Fileless Rootkit (Part 2) (2014). https://www.malwaretech.com/2 Third International Conference on Privacy, Security, Risk and Trust and 2011 014/12/phase-bot-fileless-rootkit-part-2.html IEEE Third International Conference on Social Computing, pp 1253–1258. Pilli ES, Joshi RC, Niyogi R (2010) Network forensic frameworks: survey and https://doi.org/10.1109/PASSAT/SocialCom.2011.68 research challenges. Digit Investig 7(1–2):14–27. https://doi.org/10.1016/j.diin. Allman, M., Ostermann, S.: FTP security considerations (1999). https://tools.ietf.org/ 2010.02.003. 1112.6098 html/rfc2577 Pontiroli SM, Martinez FR (2015) The tao of .net and powershell malware analysis. Almulhem, A.: Network forensics: Notions and challenges. In: 2009 IEEE In: Virus Bulletin Conference International Symposium on Signal Processing and Information Process Hollowing (2019). https://attack.mitre.org/techniques/T1093/ Technology (ISSPIT), pp. 463–466 (2009). doi:https://doi.org/10.1109/ISSPIT. Rani R, Kumar S, Dohare U (2019) Trust evaluation for light weight security in 2009.5407485.IEEE sensor enabled internet of things: game theory oriented approach. IEEE Bhasin V, Kumar S, Saxena P, Katti C (2018) Security architectures in wireless Internet Things J 6(5):8421–8432. https://doi.org/10.1109/JIOT.2019.2917763 sensor network. Int J Inf Technol:1–12. https://doi.org/10.1007/s41870- Ren, W.: On A Network Forensics Model For Information Security. ISTA, 229–234 018-0103-6 (2004) Bulazel A, Yener B (2017) A survey on automated dynamic malware analysis Carbon Black Threat Report: Non-malware attacks and Ransomware take evasion and counter-evasion: pc, mobile, and web. In: Proceedings of the 1st center stage in 2016 (2016). https://www.carbonblack.com/2016/12/15/ reversing and offensive-oriented trends symposium, p 2 ACM carbon-black-threat-report-non-malware-attacks-ransomware-takecenter- Burdach M (2006) Physical memory forensics. USA, Black Hat stage-2016/ Case A, Richard GG III (2017) Memory forensics: the path forward. Digit Investig Rhodes KA (2001) Code red, code red II, and SirCam attacks highlight need for 20:23–33 proactive measures. GAO Testimony Before the Subcommittee on Cohen M (2017) Scanning memory with Yara. Digit Investig 20:34–43. https://doi. Government Efficiency org/10.1016/j.diin.2017.02.005 Rivera BS, Inocencio RU (2015) Doing more with less: a study of fileless infection Danyliw R, Householder A (2001) CERT advisory CA-2001-19: "code red" worm attacks. VB 2015 exploiting buffer overflow in IIS indexing service DLL Ruff N (2008) Windows memory forensics. J Comput Virol 4(2):83–100 Demystifying Fileless Threats (2019). https://www.mcafee.com/enterprise/en-in/ Informational Series: What is Fileless malware? (2019). https://www.carbonblack. lp/endpoint/fileless-attacks.htm com/resources/definitions/what-is-fileless-malware/ Sudhakar and Kumar Cybersecurity (2020) 3:1 Page 12 of 12

Shackleford D (2016) Active breach detection: the next-generation security technology? SANS institute information security Reading room. In: SANS Institute Information Security Reading Room Shulmin, A., Prokhorenko, M.: Lurk banker Trojan: exclusively for Russia (2016). https://securelist.com/lurk-banker-trojan-exclusively-for-russia/75040/ Sood, A.K., Enbody, R.J., Bansal, R.: The art of stealing banking information - form grabbing on fire (2011). https://www.virusbulletin.com/virusbulletin/2011/11/ art-stealing-banking-information-form-grabbing-fire SQL Slammer (2019). https://en.wikipedia.org/wiki/SQL Slammer Stop Fileless Attacksat Pre-execution (2017). https://explore.bitdefender.com/ solution-briefs/stop-fileless-attacks-pre-execution Sudhakar P, S.K. (2018) An approach to improve load balancing in distributed storage systems for NoSQL databases: MongoDB. In: Pattnaik PK, Rautaray SS, Das H, Nayak J (eds) Progress in computing, analytics and networking. Springer, Singapore, pp 529–538 Tan Q, Gao Y, Shi J, Wang X, Fang B, Tian Z (2018) Toward a comprehensive insight into the eclipse attacks of tor hidden services. IEEE Internet Things J 6(2):1584–1593 Team CTG (2017) Threat spotlight: the truth about fileless malware [blog post] Tian Z, Cui Y, An L, Su S, Yin X, Yin L, Cui X (2018) A real-time correlation of host-level events in cyber range service for smart campus. IEEE Access 6:35355–35364 Tian Z, Gao X, Su S, Qiu J, Du X, Guizani M (2019b) Evaluating reputation management schemes of internet of vehicles based on evolutionary game theory. IEEE Trans Veh Technol 68(6):5971–5980. https://doi.org/10.1109/TVT. 2019.2910217 Tian Z, Li M, Qiu M, Sun Y, Su S (2019d) Block-def: a secure digital evidence framework using blockchain. Inf Sci 491:151–165 Tian Z, Luo C, Qiu J, Du X, Guizani M (2019e) A distributed deep learning system for web attack detection on edge devices. IEEE Transactions on Industrial Informatics Tian Z, Shi W, Wang Y, Zhu C, Du X, Su S, Sun Y, Guizani N (2019a) Real-time lateral movement detection based on evidence reasoning network for edge computing environment. IEEE Trans Ind Inform 15(7):4285–4294. https://doi. org/10.1109/TII.2019.2907754 Tian Z, Su S, Shi W, Du X, Guizani M, Yu X (2019c) A data-driven method for future internet route decision modeling. Futur Gener Comput Syst 95:212–220 Tobergte DR, Curtis S (2013) The Art of Memory Forensics, vol 53, pp 1689–1699. https://doi.org/10.1017/CBO9781107415324.004 arXiv:1011.1669v3 Vacca, J.R.: Network Forensics. In: Computer and Information Security Handbook, 2nd edi edn., pp.649–660. Morgan Kaufmann Publishers is an imprint of Elsevier, United States (2013) Valdez, R., Sconzo, M.: Threat alert: “PowerWare,” new Ransomware written in PowerShell, targets organizations via Microsoft word (2016). https://www. carbonblack.com/2016/03/25/threat-alert-powerwarenew-ransomware- written-in-powershell-targets-organizations-via-microsoft-word/ Watson D, Riden J (2008) The honeynet project: data collection tools, infrastructure, archives and analysis. Proceedings - WOMBAT Workshop on Information Security Threats Data Collection and Sharing, WISTDCS 2008:24– 30. https://doi.org/10.1109/WISTDCS.2008.11 Wueest, C., Anand, H.: Living off the land and fileless attack techniques (2017). https://www.symantec.com/content/dam/symantec/docs/security-center/ white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf Zaharia, A.: Understanding Fileless malware infections - the full guide (2016). https://heimdalsecurity.com/blog/fileless-malware-infections-guide/ Zeltser L (2017) The history of Fileless malware-looking beyond the buzzword Zhang, E.: What is Fileless malware (or a non-malware attack)? Definition and best practices for Fileless malware protection (2018). https://digitalguardian. com/blog/what-fileless-malware-or-non-malware-attack-definition-and-best- practices-fileless-malware Zou CC, Gong W, Towsley D (2002) Code red worm propagation modeling and analysis. In: Proceedings of the 9th ACM conference on computer and communications security, vol 147, p 138 ACM

Publisher’sNote Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.